Dependency 'org.json' has vulnerabilities

[jrpedrianes]

What happened:

Dependency org.json is a transitive dependency from everit-json-schema that has vulnerabilities (CVE Name: Cx78f40514-81ff)

stleary/JSON-java#484

The everit-json-schema maintainer released a new version fixing it: https://github.com/everit-org/json-schema/releases

[tsurdilo]

Thanks for reporting this. Will update and test.

[cb-manick]

I will take a look at this

[jrpedrianes]

Here you have a link where the issue is examined: stleary/JSON-java#484, the first is not correct 🤷‍♂️, I'm going to change it.

Also indicate that commons-validator depends on commons-collections and in version 1.6 has a minor issue, see:

https://issues.apache.org/jira/browse/COLLECTIONS-701
checkmarx-ts/checkmarx-github-action#187

[jrpedrianes]

sorry :(, closed by mistake 😮‍💨

[tsurdilo]

@jrpedrianes no problem, interested to find out what other projects are using for CVE reporting. Something free would be nice to have so we can react on these issues faster.

[jrpedrianes]

I think that you can use this https://github.com/apps/whitesource-for-github-com for free in github public repositories.

But Im not sure,

[tsurdilo]

Ok yeah let's give that try definitely, thanks.

[tsurdilo]

enabled for all sdk repos

[tsurdilo]

weird, whitesource is part of our build now but its not reporting this particular issue

[manick02]

@jrpedrianes what tool identified this vulnerability? @tsurdilo how can I access vulnerability report for this repo

[tsurdilo]

@manick02 this was the last scan performed: https://github.com/serverlessworkflow/sdk-java/runs/6085322739
did not have any reported issues.
Probably still best to upgrade https://github.com/serverlessworkflow/sdk-java/blob/main/pom.xml#L62
to latest version 1.14.1 as @jrpedrianes mentioned - https://mvnrepository.com/artifact/com.github.erosb/everit-json-schema

that should be it for this issue i think (would also need to cherry-pick it to 4.0.x branch)

[jrpedrianes]

@manick02 I use a tool integrated into my IDE.

I use IntelliJ IDEA 2022.1 (Ultimate Edition) which has a panel called "Dependency checker" that alerts me of all these vulnerabilities. For example in your case alerts me two:

• Cxdb5a1032-eda2
• Cx78f40514-81ff

[jrpedrianes]

Seems that my IDE is using Checkmarx under the hood.

I don't know if this tool has a free plan, but seems that you can integrate it into Github:

• https://github.com/marketplace/actions/checkmarx-cxflow-action
• https://checkmarx.atlassian.net/wiki/spaces/SD/pages/2459697268/GitHub+Actions+Integration

or launch directly from maven:

• https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1339130085/Maven+Plugin

[jrpedrianes]

Also, Github has a tool named "Dependabot alerts", that scans the project dependencies, but I don't know if transitive ones are detected too. You can enable it in Settings -> Code security and analysis -> Dependabot alerts

[manick02]

Thanks @jrpedrianes I will check it out, and will try to setup some form of this tool

@manick02 I use a tool integrated into my IDE.

I use IntelliJ IDEA 2022.1 (Ultimate Edition) which has a panel called "Dependency checker" that alerts me of all these vulnerabilities. For example in your case alerts me two:

• Cxdb5a1032-eda2
• Cx78f40514-81ff

[jrpedrianes]

Any news about this?

[tsurdilo]

@manick02 ^^

[manick02]

@tsurdilo fix for json schema vulnerability is already approved by you and its in main branch already

[tsurdilo]

oops sorry checking

[tsurdilo]

fixed via manick02@3c6813d